Open-source scanner can identify risky Microsoft SCCM configurations

April 15, 2024 – Published on CSO Online

One of the researchers who recently compiled a knowledge base of common misconfigurations and attack techniques impacting Microsoft System Center Configuration Manager (SCCM) has developed an open-source scanner to help administrators more easily identify those weaknesses in their SCCM environments.

His new scanner is implemented as a PowerShell script called MisconfigurationManager.ps1 and is available on GitHub. For now it is able to identify insecure configurations that enable eight of the nine SCCM hierarchy takeover techniques described in the knowledge base, as well as two techniques that can be used for privilege escalation and lateral movement.

SCCM allows system administrators to remotely deploy applications, software updates, operating systems and compliance settings to a wide range of Windows servers and workstations. It is a Microsoft technology that has existed under various names for almost 30 years and is extremely widespread in Active Directory environments. This also means the technology has a large amount of technical debt from many years of development, with many of its default configurations being insecure.

Many researchers have documented SCCM security risks and attacks over the years, highlighting that it’s an often overlooked attack surface. Just two weeks ago, researchers from GuidePoint Security presented a method of compromising the SCCM client push account and SCCM machine account, which can lead to a full SCCM site takeover.
